Personal information for 90,000 patients of a Seattle hospital was exposed after a malware attack earlier this fall, the hospital has admitted.
Systems at Harborview Medical Center and University of Washington Medical Center were infected with malware in October after an employee opened an infected email. This allowed unknown attackers access to data including name, medical record number, addresses, phone numbers and dates of birth, according to Geekwire.
Local news service Q13 Fox reported that the breach did not appear to seek or target patient information, but that social security numbers for up to 15,000 patients may have been accessed, and the hospital’s parent company, UW Medicine, is offering free credit-monitoring to affected patients.
The Seattle Times reports that the attack was discovered and shut down within a day, and that UW Medicine is now working with the FBI. The Times reported that the data accessed for other patients meants “the potential risk of identity theft is very low,” according to a spokesperson for UW Medicine.
UW Medicine said in a statement, “In early October 2013, a UW Medicine employee opened an email attachment that contained malicious software (malware). The malware took control of the computer, which had patient data stored on it. UW Medicine staff discovered this incident the following day and immediately took measures to prevent any further malicious activity.”
“UW Medicine has also implemented a review, training and outreach effort as a result of this incident. The affected patients will receive direct mail correspondence from UW Medicine.”
ESET researcher Stephen Cobb explores some of the issues around storing such sensitive medical data in a detailed blog post here.